amadey | 1daf3edd8b1e5ddf07044681f46fce0dca5bb5ee3c951396bb9b95aca97b0e66

Analysis

max time kernel
148s
max time network
147s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
23-03-2024 04:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1daf3edd8b1e5ddf07044681f46fce0dca5bb5ee3c951396bb9b95aca97b0e66.exe
Size

1.9MB
MD5

fe5fb92c9379c5200e389e8fefe67acc
SHA1

ad9880b1ab2817b40c44bc876437fcb1c68567d5
SHA256

1daf3edd8b1e5ddf07044681f46fce0dca5bb5ee3c951396bb9b95aca97b0e66
SHA512

517464242e2dec2b51ae11e363b595feb29a356d1c084841b9cdc8d766191b5e3772515f79df814ec7848e03c3de51fcaf3e96d09cbc73d41c59cf76ecf86fd4
SSDEEP

49152:zN95fnWoybbzrDhbub/UK4x6++OuT06SnekjGqwz:B95vWxbPhbMcLI0nekBwz

Score

10^/10

amadey stealc discovery evasion spyware stealer trojan upx

Malware Config

Extracted

Family

amadey

Version

4.17

http://185.215.113.32

Attributes

install_dir
00c07260dc
install_file
explorgu.exe
strings_key
461809bd97c251ba0c0c8450c7055f1d
url_paths
/yandex/index.php

rc4.plain

Extracted

Family

stealc

http://185.172.128.209

Attributes

url_path
/3cd2b41cbde8fc9c.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Stealc
Stealc is an infostealer written in C++.
stealer stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

1daf3edd8b1e5ddf07044681f46fce0dca5bb5ee3c951396bb9b95aca97b0e66.exeexplorgu.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	1daf3edd8b1e5ddf07044681f46fce0dca5bb5ee3c951396bb9b95aca97b0e66.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorgu.exe

Blocklisted process makes network request 4 IoCs

Processes:

rundll32.exerundll32.exerundll32.exerundll32.exe

flow pid process

5 980 rundll32.exe
6 2140 rundll32.exe
16 1628 rundll32.exe
17 2456 rundll32.exe
Downloads MZ/PE file

flow	pid	process
5	980	rundll32.exe
6	2140	rundll32.exe
16	1628	rundll32.exe
17	2456	rundll32.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

1daf3edd8b1e5ddf07044681f46fce0dca5bb5ee3c951396bb9b95aca97b0e66.exeexplorgu.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	1daf3edd8b1e5ddf07044681f46fce0dca5bb5ee3c951396bb9b95aca97b0e66.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorgu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorgu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	1daf3edd8b1e5ddf07044681f46fce0dca5bb5ee3c951396bb9b95aca97b0e66.exe

Executes dropped EXE 7 IoCs

Processes:

explorgu.exechckik.exechrosha.exeISetup3.exeu1sg.0.exeu1sg.1.exeCGIEBAFHJJ.exe

pid process

2780 explorgu.exe
1492 chckik.exe
3420 chrosha.exe
2320 ISetup3.exe
1244 u1sg.0.exe
2388 u1sg.1.exe
244 CGIEBAFHJJ.exe

pid	process
2780	explorgu.exe
1492	chckik.exe
3420	chrosha.exe
2320	ISetup3.exe
1244	u1sg.0.exe
2388	u1sg.1.exe
244	CGIEBAFHJJ.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

explorgu.exe1daf3edd8b1e5ddf07044681f46fce0dca5bb5ee3c951396bb9b95aca97b0e66.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3594324687-1993884830-4019639329-1000\Software\Wine	explorgu.exe
Key opened	\REGISTRY\USER\S-1-5-21-3594324687-1993884830-4019639329-1000\Software\Wine	1daf3edd8b1e5ddf07044681f46fce0dca5bb5ee3c951396bb9b95aca97b0e66.exe

Loads dropped DLL 8 IoCs

Processes:

rundll32.exerundll32.exerundll32.exeu1sg.0.exerundll32.exerundll32.exerundll32.exe

pid process

3144 rundll32.exe
980 rundll32.exe
2140 rundll32.exe
1244 u1sg.0.exe
1244 u1sg.0.exe
2192 rundll32.exe
1628 rundll32.exe
2456 rundll32.exe
Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
3144	rundll32.exe
980	rundll32.exe
2140	rundll32.exe
1244	u1sg.0.exe
1244	u1sg.0.exe
2192	rundll32.exe
1628	rundll32.exe
2456	rundll32.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\u1sg.1.exe	upx
behavioral2/memory/2388-153-0x0000000000400000-0x0000000000930000-memory.dmp	upx
behavioral2/memory/2388-285-0x0000000000400000-0x0000000000930000-memory.dmp	upx

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

1daf3edd8b1e5ddf07044681f46fce0dca5bb5ee3c951396bb9b95aca97b0e66.exeexplorgu.exe

pid process

1180 1daf3edd8b1e5ddf07044681f46fce0dca5bb5ee3c951396bb9b95aca97b0e66.exe
2780 explorgu.exe

Drops file in Windows directory 2 IoCs

Processes:

chckik.exe1daf3edd8b1e5ddf07044681f46fce0dca5bb5ee3c951396bb9b95aca97b0e66.exe

description	ioc	process
File created	C:\Windows\Tasks\chrosha.job	chckik.exe
File created	C:\Windows\Tasks\explorgu.job	1daf3edd8b1e5ddf07044681f46fce0dca5bb5ee3c951396bb9b95aca97b0e66.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 4 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
3284	2320	WerFault.exe	ISetup3.exe
3696	1244	WerFault.exe	u1sg.0.exe
1564	1244	WerFault.exe	u1sg.0.exe
472	1244	WerFault.exe	u1sg.0.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

u1sg.0.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	u1sg.0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	u1sg.0.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

4048 schtasks.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1500 PING.EXE

pid	process
4048	schtasks.exe

pid	process
1500	PING.EXE

Suspicious behavior: EnumeratesProcesses 32 IoCs

Processes:

1daf3edd8b1e5ddf07044681f46fce0dca5bb5ee3c951396bb9b95aca97b0e66.exeexplorgu.exerundll32.exepowershell.exeu1sg.0.exerundll32.exepowershell.exe

pid	process
1180	1daf3edd8b1e5ddf07044681f46fce0dca5bb5ee3c951396bb9b95aca97b0e66.exe
1180	1daf3edd8b1e5ddf07044681f46fce0dca5bb5ee3c951396bb9b95aca97b0e66.exe
2780	explorgu.exe
2780	explorgu.exe
980	rundll32.exe
980	rundll32.exe
980	rundll32.exe
980	rundll32.exe
980	rundll32.exe
980	rundll32.exe
980	rundll32.exe
980	rundll32.exe
980	rundll32.exe
980	rundll32.exe
1636	powershell.exe
1636	powershell.exe
1244	u1sg.0.exe
1244	u1sg.0.exe
1244	u1sg.0.exe
1244	u1sg.0.exe
1628	rundll32.exe
1628	rundll32.exe
1628	rundll32.exe
1628	rundll32.exe
1628	rundll32.exe
1628	rundll32.exe
1628	rundll32.exe
1628	rundll32.exe
1628	rundll32.exe
1628	rundll32.exe
692	powershell.exe
692	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1636 powershell.exe
Token: SeDebugPrivilege 692 powershell.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

u1sg.1.exe

pid process

2388 u1sg.1.exe

description	pid	process
Token: SeDebugPrivilege	1636	powershell.exe
Token: SeDebugPrivilege	692	powershell.exe

pid	process
2388	u1sg.1.exe

Suspicious use of WriteProcessMemory 57 IoCs

Processes:

explorgu.exerundll32.exerundll32.exechrosha.exeISetup3.exeu1sg.1.execmd.exerundll32.exerundll32.exeu1sg.0.execmd.exeCGIEBAFHJJ.execmd.exe

description	pid	process	target process
PID 2780 wrote to memory of 1492	2780	explorgu.exe	chckik.exe
PID 2780 wrote to memory of 1492	2780	explorgu.exe	chckik.exe
PID 2780 wrote to memory of 1492	2780	explorgu.exe	chckik.exe
PID 2780 wrote to memory of 3144	2780	explorgu.exe	rundll32.exe
PID 2780 wrote to memory of 3144	2780	explorgu.exe	rundll32.exe
PID 2780 wrote to memory of 3144	2780	explorgu.exe	rundll32.exe
PID 3144 wrote to memory of 980	3144	rundll32.exe	rundll32.exe
PID 3144 wrote to memory of 980	3144	rundll32.exe	rundll32.exe
PID 980 wrote to memory of 2212	980	rundll32.exe	netsh.exe
PID 980 wrote to memory of 2212	980	rundll32.exe	netsh.exe
PID 980 wrote to memory of 1636	980	rundll32.exe	powershell.exe
PID 980 wrote to memory of 1636	980	rundll32.exe	powershell.exe
PID 2780 wrote to memory of 2140	2780	explorgu.exe	rundll32.exe
PID 2780 wrote to memory of 2140	2780	explorgu.exe	rundll32.exe
PID 2780 wrote to memory of 2140	2780	explorgu.exe	rundll32.exe
PID 3420 wrote to memory of 2320	3420	chrosha.exe	ISetup3.exe
PID 3420 wrote to memory of 2320	3420	chrosha.exe	ISetup3.exe
PID 3420 wrote to memory of 2320	3420	chrosha.exe	ISetup3.exe
PID 2320 wrote to memory of 1244	2320	ISetup3.exe	u1sg.0.exe
PID 2320 wrote to memory of 1244	2320	ISetup3.exe	u1sg.0.exe
PID 2320 wrote to memory of 1244	2320	ISetup3.exe	u1sg.0.exe
PID 2320 wrote to memory of 2388	2320	ISetup3.exe	u1sg.1.exe
PID 2320 wrote to memory of 2388	2320	ISetup3.exe	u1sg.1.exe
PID 2320 wrote to memory of 2388	2320	ISetup3.exe	u1sg.1.exe
PID 2388 wrote to memory of 4084	2388	u1sg.1.exe	cmd.exe
PID 2388 wrote to memory of 4084	2388	u1sg.1.exe	cmd.exe
PID 2388 wrote to memory of 4084	2388	u1sg.1.exe	cmd.exe
PID 4084 wrote to memory of 4284	4084	cmd.exe	chcp.com
PID 4084 wrote to memory of 4284	4084	cmd.exe	chcp.com
PID 4084 wrote to memory of 4284	4084	cmd.exe	chcp.com
PID 4084 wrote to memory of 4048	4084	cmd.exe	schtasks.exe
PID 4084 wrote to memory of 4048	4084	cmd.exe	schtasks.exe
PID 4084 wrote to memory of 4048	4084	cmd.exe	schtasks.exe
PID 3420 wrote to memory of 2192	3420	chrosha.exe	rundll32.exe
PID 3420 wrote to memory of 2192	3420	chrosha.exe	rundll32.exe
PID 3420 wrote to memory of 2192	3420	chrosha.exe	rundll32.exe
PID 2192 wrote to memory of 1628	2192	rundll32.exe	rundll32.exe
PID 2192 wrote to memory of 1628	2192	rundll32.exe	rundll32.exe
PID 1628 wrote to memory of 1192	1628	rundll32.exe	netsh.exe
PID 1628 wrote to memory of 1192	1628	rundll32.exe	netsh.exe
PID 1628 wrote to memory of 692	1628	rundll32.exe	powershell.exe
PID 1628 wrote to memory of 692	1628	rundll32.exe	powershell.exe
PID 1244 wrote to memory of 3496	1244	u1sg.0.exe	cmd.exe
PID 1244 wrote to memory of 3496	1244	u1sg.0.exe	cmd.exe
PID 1244 wrote to memory of 3496	1244	u1sg.0.exe	cmd.exe
PID 3496 wrote to memory of 244	3496	cmd.exe	CGIEBAFHJJ.exe
PID 3496 wrote to memory of 244	3496	cmd.exe	CGIEBAFHJJ.exe
PID 3496 wrote to memory of 244	3496	cmd.exe	CGIEBAFHJJ.exe
PID 244 wrote to memory of 3264	244	CGIEBAFHJJ.exe	cmd.exe
PID 244 wrote to memory of 3264	244	CGIEBAFHJJ.exe	cmd.exe
PID 244 wrote to memory of 3264	244	CGIEBAFHJJ.exe	cmd.exe
PID 3264 wrote to memory of 1500	3264	cmd.exe	PING.EXE
PID 3264 wrote to memory of 1500	3264	cmd.exe	PING.EXE
PID 3264 wrote to memory of 1500	3264	cmd.exe	PING.EXE
PID 3420 wrote to memory of 2456	3420	chrosha.exe	rundll32.exe
PID 3420 wrote to memory of 2456	3420	chrosha.exe	rundll32.exe
PID 3420 wrote to memory of 2456	3420	chrosha.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\1daf3edd8b1e5ddf07044681f46fce0dca5bb5ee3c951396bb9b95aca97b0e66.exe
"C:\Users\Admin\AppData\Local\Temp\1daf3edd8b1e5ddf07044681f46fce0dca5bb5ee3c951396bb9b95aca97b0e66.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:1180

C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2780
- C:\Users\Admin\AppData\Local\Temp\1001022001\chckik.exe
  "C:\Users\Admin\AppData\Local\Temp\1001022001\chckik.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  PID:1492
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3144
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:980
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profiles
      4⤵
      PID:2212
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\594324687199_Desktop.zip' -CompressionLevel Optimal
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1636
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  PID:2140

C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe
C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3420
- C:\Users\Admin\AppData\Local\Temp\1000068001\ISetup3.exe
  "C:\Users\Admin\AppData\Local\Temp\1000068001\ISetup3.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2320
- - C:\Users\Admin\AppData\Local\Temp\u1sg.0.exe
    "C:\Users\Admin\AppData\Local\Temp\u1sg.0.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1244
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\CGIEBAFHJJ.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3496
    - - C:\Users\Admin\AppData\Local\Temp\CGIEBAFHJJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CGIEBAFHJJ.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:244
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C ping 2.2.2.2 -n 1 -w 3000 > Nul & Del C:\Users\Admin\AppData\Local\Temp\CGIEBAFHJJ.exe
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3264
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 2.2.2.2 -n 1 -w 3000
        7⤵
        Runs ping.exe
        
        PID:1500
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1244 -s 2176
      4⤵
      Program crash
      PID:3696
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1244 -s 2488
      4⤵
      Program crash
      PID:1564
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1244 -s 2716
      4⤵
      Program crash
      PID:472
- - C:\Users\Admin\AppData\Local\Temp\u1sg.1.exe
    "C:\Users\Admin\AppData\Local\Temp\u1sg.1.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2388
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4084
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 1251
        5⤵
        
        PID:4284
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
        5⤵
        Creates scheduled task(s)
        
        PID:4048
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2320 -s 1160
    3⤵
    - Program crash
    PID:3284
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2192
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1628
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profiles
      4⤵
      PID:1192
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\594324687199_Desktop.zip' -CompressionLevel Optimal
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:692
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll, Main
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  PID:2456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2320 -ip 2320
1⤵
PID:3336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1244 -ip 1244
1⤵
PID:2080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1244 -ip 1244
1⤵
PID:4992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 1244 -ip 1244
1⤵
PID:5012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Are.docx

Filesize
11KB

MD5
a33e5b189842c5867f46566bdbf7a095

SHA1
e1c06359f6a76da90d19e8fd95e79c832edb3196

SHA256
5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454

SHA512
f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
ae626d9a72417b14570daa8fcd5d34a4

SHA1
c103ebaf4d760df722d620df87e6f07c0486439f

SHA256
52cc3f3028fab0d347a4a3fffef570b42f85748176d81a3344996d42fd1de32a

SHA512
a0690bda318bdf43d6f292f88d4ea2ebeec83b95e9ebca80083dbb08e7ddcdb9735cc58b89d369a34f10acf8a114d4a207ed8d0f070c5baf87c5798e9f35bc14

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d7b4d64e9f3d2c668329d6fdf08a8b26

SHA1
853f697af9dd1dcb56aa85894333be09e783aa73

SHA256
58ac1a3b3898a293d401f3f01e65540b22d0a2ece6a96fa3d19ce44a235d95d1

SHA512
8e46f2edecdaf65c1c9ac615c03a3ef4062ee193c25f2fa4697b264e05e398b2b95fa670e5045e5376129d5c7093eaf78a6b33146c24a58fb109db5ff2c14c92

Download Submit
C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe

Filesize
1.9MB

MD5
fe5fb92c9379c5200e389e8fefe67acc

SHA1
ad9880b1ab2817b40c44bc876437fcb1c68567d5

SHA256
1daf3edd8b1e5ddf07044681f46fce0dca5bb5ee3c951396bb9b95aca97b0e66

SHA512
517464242e2dec2b51ae11e363b595feb29a356d1c084841b9cdc8d766191b5e3772515f79df814ec7848e03c3de51fcaf3e96d09cbc73d41c59cf76ecf86fd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000068001\ISetup3.exe

Filesize
463KB

MD5
867226025a5e61faeca7157a95061607

SHA1
9c8f6d59663625b31bbc41d5b7ecb2381474432c

SHA256
eb23bd38359eab51092a1322cd491a109532bb42d90a6345ab720e5b95d6c5d8

SHA512
d4cf1e20a516c319a9a783a478b3db9a8cfbf692e4919d4ce41b2816111879d03de8e0a9c6fce923e11f7c53d716f93b984b12b19ca3c27c8e2ad855b2fe2d2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1001022001\chckik.exe

Filesize
413KB

MD5
d467222c3bd563cb72fa49302f80b079

SHA1
9335e2a36abb8309d8a2075faf78d66b968b2a91

SHA256
fedb08b3ec7034a15e9dee7ed4dec1a854fb78e74285e1ee05c90f9e9e4f8b3e

SHA512
484b6c427e28193ddb73dd7062e2bfbd132ddc72ce4811bfe08784669de30e4b92bc27140373f62a4ce651401000a3c505188620c43da410bf6b0799a0791fa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\594324687199_Desktop.zip

Filesize
109KB

MD5
d02c5c8f4067af6c9677aa8b0b1dbc06

SHA1
794393c2cf66d8925035c49cf6aa489717f00ae8

SHA256
c934e8013c31e6e23588a099a1fc4c6daa21dbc366fd48f3344fb59e1457109e

SHA512
a0f0381a0a82d6ac027db5a1807f6986b15a97890f008259bd3c80689552615910b02551b3ba332cf4a1223b4fe6427c8d73593557a8be39fcab6a2e220c36c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\CGIEBAFHJJ.exe

Filesize
106KB

MD5
fe380780b5c35bd6d54541791151c2be

SHA1
7fe3a583cf91474c733f85cebf3c857682e269e1

SHA256
b64a84d1f88e4e78464a1901c1cb5bbd5f00bb73203d719e64e072157a087b53

SHA512
ba05ba8aa13c4bc1cf98fbf6c08b021e8b19354098e0397fc8e1e5d3dcce367c1063203f24e50d0973193f6535681d0a43486e5dade5d112853b7a2fe8739b6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_Files_\ResumeClear.docx

Filesize
108KB

MD5
58a3e46ff670b703541cdfb5cb254148

SHA1
16963a51bff6973f73985f1abc11b8a062de5676

SHA256
d9beab56cbdade59318d09792abfa3b3f0906edb55a7863bc277d2b457df8339

SHA512
4255d5134421d324d7e5e0f5b159b27077be3c918b3f0b3a2fdadb743d01e744ffa77cf77f5b439ed65cdab2ce967bba0f1a23720b15e3bf7f1628d119589715

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_asmgtg0z.lxw.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\u1sg.0.exe

Filesize
318KB

MD5
79deaafd0a3a2c3169b829d46f30fe96

SHA1
f3c516a4849f6c410558e41b071eb1cd05c653be

SHA256
5bd7ec83664f95b125355c5e064959dee0290894eda22675df264c7a172627a7

SHA512
e4bb4d9248b6c2f84d4eafa502c2739851ee72c39590a41379e34a7f1a5ad67e354e5c99c0127b7557de7a73f85a4eb0fe4f6728576e396e1f059a8bab81126e

Download Submit
C:\Users\Admin\AppData\Local\Temp\u1sg.1.exe

Filesize
1.7MB

MD5
eee5ddcffbed16222cac0a1b4e2e466e

SHA1
28b40c88b8ea50b0782e2bcbb4cc0f411035f3d5

SHA256
2a40e5dccc7526c4982334941c90f95374460e2a816e84e724e98c4d52ae8c54

SHA512
8f88901f3ebd425818db09f268df19ccf8a755603f04e9481bcf02b112a84393f8a900ead77f8f971bfa33fd9fa5636b7494aaee864a0fb04e3273911a4216dc

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
109KB

MD5
2afdbe3b99a4736083066a13e4b5d11a

SHA1
4d4856cf02b3123ac16e63d4a448cdbcb1633546

SHA256
8d31b39170909595b518b1a03e9ec950540fabd545ed14817cac5c84b91599ee

SHA512
d89b3c46854153e60e3fa825b394344eee33936d7dbf186af9d95c9adae54428609e3bf21a18d38fce3d96f3e0b8e4e0ed25cb5004fbe288de3aef3a85b1d93f

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
1.2MB

MD5
92fbdfccf6a63acef2743631d16652a7

SHA1
971968b1378dd89d59d7f84bf92f16fc68664506

SHA256
b4588feacc183cd5a089f9bb950827b75df04bd5a6e67c95ff258e4a34aa0d72

SHA512
b8ea216d4a59d8858fd4128abb555f8dcf3acca9138e663b488f09dc5200db6dc11ecc235a355e801145bbbb44d7beac6147949d75d78b32fe9cfd2fa200d117

Download Submit
C:\Users\Admin\AppData\Roaming\Temp\Task.bat

Filesize
128B

MD5
11bb3db51f701d4e42d3287f71a6a43e

SHA1
63a4ee82223be6a62d04bdfe40ef8ba91ae49a86

SHA256
6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331

SHA512
907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2

Download Submit
C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll

Filesize
109KB

MD5
154c3f1334dd435f562672f2664fea6b

SHA1
51dd25e2ba98b8546de163b8f26e2972a90c2c79

SHA256
5f431129f97f3d56929f1e5584819e091bd6c854d7e18503074737fc6d79e33f

SHA512
1bca69bbcdb7ecd418769e9d4befc458f9f8e3cee81feb7316bb61e189e2904f4431e4cc7d291e179a5dec441b959d428d8e433f579036f763bbad6460222841

Download Submit
C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll

Filesize
1.2MB

MD5
f35b671fda2603ec30ace10946f11a90

SHA1
059ad6b06559d4db581b1879e709f32f80850872

SHA256
83e3df5bec15d5333935bea8b719a6d677e2fb3dc1cf9e18e7b82fd0438285c7

SHA512
b5fa27d08c64727cef7fdda5e68054a4359cd697df50d70d1d90da583195959a139066a6214531bbc5f20cd4f9bc1ca3e4244396547381291a6a1d2df9cf8705

Download Submit
memory/244-279-0x0000000071630000-0x0000000071DE1000-memory.dmp

Filesize
7.7MB

Download
memory/244-274-0x0000000071630000-0x0000000071DE1000-memory.dmp

Filesize
7.7MB

Download
memory/244-275-0x0000000005690000-0x00000000056A0000-memory.dmp

Filesize
64KB

Download
memory/244-273-0x0000000000AA0000-0x0000000000AC0000-memory.dmp

Filesize
128KB

Download
memory/692-282-0x00007FFD5F0D0000-0x00007FFD5FB92000-memory.dmp

Filesize
10.8MB

Download
memory/692-259-0x0000021C99800000-0x0000021C99810000-memory.dmp

Filesize
64KB

Download
memory/692-258-0x0000021C99800000-0x0000021C99810000-memory.dmp

Filesize
64KB

Download
memory/692-257-0x00007FFD5F0D0000-0x00007FFD5FB92000-memory.dmp

Filesize
10.8MB

Download
memory/1180-11-0x0000000005240000-0x0000000005241000-memory.dmp

Filesize
4KB

Download
memory/1180-5-0x00000000051E0000-0x00000000051E1000-memory.dmp

Filesize
4KB

Download
memory/1180-0-0x00000000007D0000-0x0000000000CA2000-memory.dmp

Filesize
4.8MB

Download
memory/1180-1-0x0000000077346000-0x0000000077348000-memory.dmp

Filesize
8KB

Download
memory/1180-16-0x00000000007D0000-0x0000000000CA2000-memory.dmp

Filesize
4.8MB

Download
memory/1180-2-0x00000000007D0000-0x0000000000CA2000-memory.dmp

Filesize
4.8MB

Download
memory/1180-3-0x00000000051F0000-0x00000000051F1000-memory.dmp

Filesize
4KB

Download
memory/1180-4-0x0000000005200000-0x0000000005201000-memory.dmp

Filesize
4KB

Download
memory/1180-10-0x0000000005250000-0x0000000005251000-memory.dmp

Filesize
4KB

Download
memory/1180-9-0x0000000005220000-0x0000000005221000-memory.dmp

Filesize
4KB

Download
memory/1180-8-0x00000000051D0000-0x00000000051D1000-memory.dmp

Filesize
4KB

Download
memory/1180-7-0x00000000051C0000-0x00000000051C1000-memory.dmp

Filesize
4KB

Download
memory/1180-6-0x0000000005230000-0x0000000005231000-memory.dmp

Filesize
4KB

Download
memory/1244-272-0x0000000000400000-0x0000000000AF8000-memory.dmp

Filesize
7.0MB

Download
memory/1244-139-0x0000000000D90000-0x0000000000E90000-memory.dmp

Filesize
1024KB

Download
memory/1244-140-0x0000000002850000-0x0000000002877000-memory.dmp

Filesize
156KB

Download
memory/1244-141-0x0000000000400000-0x0000000000AF8000-memory.dmp

Filesize
7.0MB

Download
memory/1244-159-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/1636-72-0x00007FFD5F210000-0x00007FFD5FCD2000-memory.dmp

Filesize
10.8MB

Download
memory/1636-75-0x000001727CA50000-0x000001727CA60000-memory.dmp

Filesize
64KB

Download
memory/1636-71-0x000001727CA20000-0x000001727CA42000-memory.dmp

Filesize
136KB

Download
memory/1636-73-0x000001727CA50000-0x000001727CA60000-memory.dmp

Filesize
64KB

Download
memory/1636-83-0x00007FFD5F210000-0x00007FFD5FCD2000-memory.dmp

Filesize
10.8MB

Download
memory/1636-78-0x000001727CAA0000-0x000001727CAAA000-memory.dmp

Filesize
40KB

Download
memory/1636-77-0x000001727CAC0000-0x000001727CAD2000-memory.dmp

Filesize
72KB

Download
memory/1636-76-0x000001727CA50000-0x000001727CA60000-memory.dmp

Filesize
64KB

Download
memory/2320-126-0x0000000000400000-0x0000000000B1D000-memory.dmp

Filesize
7.1MB

Download
memory/2320-125-0x0000000002830000-0x000000000289E000-memory.dmp

Filesize
440KB

Download
memory/2320-155-0x0000000000400000-0x0000000000B1D000-memory.dmp

Filesize
7.1MB

Download
memory/2320-124-0x0000000000D40000-0x0000000000E40000-memory.dmp

Filesize
1024KB

Download
memory/2388-153-0x0000000000400000-0x0000000000930000-memory.dmp

Filesize
5.2MB

Download
memory/2388-154-0x00000000028F0000-0x00000000028F1000-memory.dmp

Filesize
4KB

Download
memory/2388-285-0x0000000000400000-0x0000000000930000-memory.dmp

Filesize
5.2MB

Download
memory/2388-287-0x00000000028F0000-0x00000000028F1000-memory.dmp

Filesize
4KB

Download
memory/2780-22-0x0000000004F80000-0x0000000004F81000-memory.dmp

Filesize
4KB

Download
memory/2780-234-0x00000000004E0000-0x00000000009B2000-memory.dmp

Filesize
4.8MB

Download
memory/2780-103-0x00000000004E0000-0x00000000009B2000-memory.dmp

Filesize
4.8MB

Download
memory/2780-100-0x00000000004E0000-0x00000000009B2000-memory.dmp

Filesize
4.8MB

Download
memory/2780-99-0x00000000004E0000-0x00000000009B2000-memory.dmp

Filesize
4.8MB

Download
memory/2780-98-0x00000000004E0000-0x00000000009B2000-memory.dmp

Filesize
4.8MB

Download
memory/2780-86-0x00000000004E0000-0x00000000009B2000-memory.dmp

Filesize
4.8MB

Download
memory/2780-85-0x00000000004E0000-0x00000000009B2000-memory.dmp

Filesize
4.8MB

Download
memory/2780-74-0x00000000004E0000-0x00000000009B2000-memory.dmp

Filesize
4.8MB

Download
memory/2780-49-0x00000000004E0000-0x00000000009B2000-memory.dmp

Filesize
4.8MB

Download
memory/2780-28-0x0000000004FF0000-0x0000000004FF1000-memory.dmp

Filesize
4KB

Download
memory/2780-27-0x0000000004FE0000-0x0000000004FE1000-memory.dmp

Filesize
4KB

Download
memory/2780-23-0x0000000004FC0000-0x0000000004FC1000-memory.dmp

Filesize
4KB

Download
memory/2780-24-0x0000000004F60000-0x0000000004F61000-memory.dmp

Filesize
4KB

Download
memory/2780-25-0x0000000004F70000-0x0000000004F71000-memory.dmp

Filesize
4KB

Download
memory/2780-26-0x0000000004FA0000-0x0000000004FA1000-memory.dmp

Filesize
4KB

Download
memory/2780-21-0x0000000004F90000-0x0000000004F91000-memory.dmp

Filesize
4KB

Download
memory/2780-286-0x00000000004E0000-0x00000000009B2000-memory.dmp

Filesize
4.8MB

Download
memory/2780-20-0x00000000004E0000-0x00000000009B2000-memory.dmp

Filesize
4.8MB

Download
memory/2780-19-0x00000000004E0000-0x00000000009B2000-memory.dmp

Filesize
4.8MB

Download
memory/2780-300-0x00000000004E0000-0x00000000009B2000-memory.dmp

Filesize
4.8MB

Download
memory/2780-302-0x00000000004E0000-0x00000000009B2000-memory.dmp

Filesize
4.8MB

Download
memory/2780-304-0x00000000004E0000-0x00000000009B2000-memory.dmp

Filesize
4.8MB

Download
memory/2780-306-0x00000000004E0000-0x00000000009B2000-memory.dmp

Filesize
4.8MB

Download
memory/2780-309-0x00000000004E0000-0x00000000009B2000-memory.dmp

Filesize
4.8MB

Download
memory/2780-311-0x00000000004E0000-0x00000000009B2000-memory.dmp

Filesize
4.8MB

Download